A Victory for E-Privacy

Uncle – the federal government – just got a much-needed slap down from one of its own courts, which had the guts to tell Uncle he’s got no jurisdiction outside the United States.

The case at issue involved an attempt to force Microsoft (and in principle, other tech companies) to turn over customer data stored on servers located overseas. The pretext in this particular case being the “war” on some “drugs.” You know, the ones the government arbitrarily decrees to be illegal, as opposed to the other “drugs” – like alcohol – it says are ok.

The “war” on these arbitrarily illegal “drugs” (along with the other catch-all excuse, “terrorism”) apparently justifies pretty much any over-reach or abuse by federal authorities.

Including demands that an American company do something illegal in a foreign country. Like turn over access to data based on a U.S. search warrant… which isn’t valid in Dublin, Ireland – where the server happened to be in the Microsoft case.

The government’s position being that an American company is subject to American law – even when it is doing business outside the physical and legal boundaries of America.

It asserted this claim – which the Irish found startling – under the ancient (1986) Electronic Communications Privacy Act – which didn’t take into account technological developments such as e-mail servers located overseas. Because back in ’86, there was no e-mail. If the government wanted to read your mail, it had to get a search warrant issued by a judge. Both mail and judge were located inside the physical boundaries of the United States.

The ECPA is as out of date as Ocean Pacific shorts and David Lee Roth’s toupee.

But unlike OP shorts and Roth’s bad hair, the ECPA is dangerous.

It’s not merely that American companies faced the prospect of being strong-armed by the government to turn over customer data contrary to the laws in force where the data is stored.

It’s that foreign countries might decide to return the “favor.”

If it’s ok for our government to ignore the laws of foreign countries at will, why shouldn’t foreign countries, tit for tat, ignore American laws when it suits their purposes? If, for instance, our government can compel Microsoft to hand over customer data stored on a server somewhere in Europe – data that might belong to an American citizen but which has never “crossed the border” into the physical United States – why should a European tech company that is housing Americans’ data in New Jersey respect American laws regarding privacy protections or anything else?

Including, among other things, intellectual property and copyright laws? What’s to stop them from “accessing” data they regard as “important” to some purpose of their own, whether “investigative” or otherwise?

ECPA never anticipated any of this because it was written before the dawn of the digital age and the existence of non-physical data stored electronically virtually anywhere on earth, as the U.S. Court of Appeals for the Second Circuit in New York noted in its decision last week. The court rejected as invalid the original warrant issued to Microsoft by Judge James Francis of the District Court for the Southern District of New York, which ordered Microsoft to turn over all e-mails and user information belonging to a drug trafficking subject under federal investigation. Microsoft turned over data stored on servers located within the legal jurisdiction of the United States but withheld data stored outside the United States on its servers located in Dublin, Ireland.

Microsoft’s lawyers argued that U.S. courts don’t have the authority to issue warrants for “extraterritorial search and seizure.”

Circuit Court Judge Sarah Carney agreed with Microsoft’s lawyers on this point, writing in her opinion on behalf of the three-judge panel that ECPA “does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers.”

Apple, Verizon, Accenture, Backspace and other tech companies wrote briefs in support of Microsoft’s position – and cheered the decision of the Second Circuit as a victory for privacy and sanity.

If the court had rejected Microsoft’s appeal of the original warrant, the blowback – against Americans – could have been severe. There is nothing to prevent foreign governments from applying their own laws against Americans – and their data – except for the mutual goodwill between governments and mutual respect for the others’ laws.

If our government insists American law trumps the laws in force overseas, why on earth should other countries consider themselves bound by our laws when doing business “overseas” here in the United States?

Judge Carney wasn’t defending “drug traffickers” in her written opinion. She was defending the rule of law.